> On June 23, 2016, 12:17 a.m., Madhan Neethiraj wrote:
> > >> However, this does not return the user groups correctly for testing
> > >> purposes
> > Can you please add details of the tests that are affected by the current
> > implementation? It will help determine if changes to plugin code are
> > justified. Ideally, any such change should only be scoped to tests.
>
> Madhan Neethiraj wrote:
> Formatting got messed up. Here is my comment again:
>
> Can you please add details of the tests that are affected by the current
> implementation? It will help determine if changes to plugin code are
> justified. Ideally, any such change should only be scoped to tests.

Hi Madhan,

Thanks for taking a look. I have some tests which I'll donate to Ranger in a
bit, which start a mini cluster using HBaseTestingUtility. The problem comes
when I am trying to test authorization, so for example running some HBase
client query via:

    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, new String[] {"IT"});
    ugi.doAs(...)

In this case, Ranger does not pick up that the user has group "IT". It seems to
check to see if the user actually exists and it only sets the groups if it
does. Therefore it's not possible to run any tests. Querying UGI as per my
patch picks up the group appropriately. Note that the Hive plugin does query
the UGI to get the group names, which is why these kinds of tests work fine with
Hive.

If you object to the patch, then I can instead submit a patch to at least make
the behaviour of AuthorizationSession pluggable. So I could add a
createAuthorizationSession() method to the RangerAuthorizationCoprocessor to
make it easily overridable in a test?

Colm.
- Colm
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49079/#review139187
-----------------------------------------------------------
On June 22, 2016, 10:48 a.m., Colm O hEigeartaigh wrote:
>
> (Updated June 22, 2016, 10:48 a.m.)
>
>
> Review request for ranger.
>
>
> Bugs: RANGER-1051
> https://issues.apache.org/jira/browse/RANGER-1051
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Currently, in the HBase plugin, we get the user groups by querying the
> HbaseUserUtils. However, this does not return the user groups correctly for
> testing purposes, when creating users via UserGroupInformation. If
> HBaseUserUtils does not return any group information, then we should fall
> back to checking the user's UGI groups.
>
>
> Diffs
> -----
>
>
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
> fdf1527
>
> Diff: https://reviews.apache.org/r/49079/diff/
>
>
> Testing
> -------
>
> Tests done locally, I'll submit Ranger tests in due course.
>
>
> Thanks,
>
> Colm O hEigeartaigh
>
>